Given the pace of technological innovations in electronic communications, and the breadth of possible communications subject to review, NASD and NYSE are issuing this Joint Request for Comment to solicit comments from members and other interested parties on proposed Joint Guidance regarding the review and supervision of electronic communications. The proposed Joint Guidance sets forth principles for members to consider when developing supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization rules.

Attachment A sets forth the proposed Joint Guidance on the review and supervision of electronic communications.

Action Requested

Comment on the proposed Joint Guidance. Comments must be received by July 13, 2007. Members and other interested persons can submit their comments using the following methods:

The only comments that will be considered are those
submitted pursuant to the methods set forth above (or submitted pursuant to
NYSE's stated methods). All comments received by NASD in response to this
Joint Request for Comment will be made available to the public on the NASD
Web site. Generally, comments will be posted on the NASD Web site one week
following the expiration of the comment period.1

Questions/Further Information

Questions concerning this Joint Request for Comment should be directed to Donald K. Lopezi, Deputy Director, Examinations Program, at (202) 728-8132; or Patricia Albrecht, Assistant General Counsel, Office of General Counsel, at (202) 728-8026.

1See NASD Notice to Members 03-73 (November 2003) (NASD Announces Online Availability of Comments). Personal identifying information, such as names or email addresses, will not be edited from submissions. Submit only information that you wish to make publicly available.

ATTACHMENT A—PROPOSED JOINT GUIDANCE

REVIEW AND SUPERVISION OF ELECTRONIC COMMUNICATIONS

I. INTRODUCTION

Technological innovations in the area of electronic communications1 have altered how people deliver, receive, and store communications. These innovations have brought, and continue to bring, new challenges to members2 in the establishment of supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization rules.3

With these challenges in mind, the NYSE and NASD (the "SROs") are issuing this guidance for members to consider when developing such systems and procedures. In the course of formulating this guidance, the SROs have consulted with industry experts in addition to drawing on their own experience in the area of electronic communication supervision. This guidance does not specifically address every regulatory issue that may arise in connection with the supervision of electronic communications. Further, the SROs recognize that policies and procedures may differ among members depending on their business model (e.g., size, structure, customer base, and product mix).4

II. REVIEW AND SUPERVISION OF ELECTRONIC COMMUNICATIONS

At one time, the SROs required that members review all correspondence of their registered representatives pertaining to the solicitation or execution of any securities transactions. In 1998, recognizing that the growing use of electronic communications such as e-mail made adherence to this requirement difficult, the SROs amended their rules to allow members the flexibility to design supervisory review procedures for correspondence with the public that are appropriate to the individual member's business model.5

In considering this Joint Guidance, members generally may decide by employing risk-based principles the extent to which the review of electronic communications, both internal and external, is necessary in accordance with the supervision of their business. However, members must have policies and procedures for the review by a supervisor of employees' 6 incoming and outgoing electronic communications that are of a subject matter that require review under SRO rules and federal securities laws. For example (without limitation):

(1) NYSE Rule 472(b)(3) and NASD Rule 2711(b)(3)(A) require that a member's legal and compliance department be copied on communications between non-research and research departments concerning the content of a research report; NYSE Rule 472(a) and NASD Rules 2210 and 2211 require pre-approval by a principal of specified communications with the public;

(2) NYSE Rule 351(d) and NASD Rule 3070(c) require the identification and reporting of customer complaints; NYSE Rule 401A requires that the receipt of each complaint be acknowledged by the member to the customer within 15 business days; and

(3) NYSE Rule 410 and NASD Rule 3110(j) require the identification and prior written approval of every order error and other account designation change.

When employing risk-based procedures to review electronic communications, members should consider how to effectively:

(1) "flag" electronic communications that may evidence or contain customer complaints, problems, errors, orders, or other instructions for an account; or evidence conduct inconsistent with SRO rules, federal securities laws, and other matters of importance to the member's ability to adequately supervise its business and manage the member's reputational, financial, and litigation risk;

(2) identify such other business areas the member may identify as warranting supervisory review; and

(3) educate employees to understand and comply with the member's policies and procedures regarding electronic communications.

In adopting such supervisory review procedures, existing interpretive material directs members to, among other things:7

• Identify the types of correspondence that will be pre- or post-reviewed;

• Identify the organizational position(s) responsible for conducting reviews of the different types of correspondence;

• Monitor the implementation of, and compliance with, the member's procedures for reviewing public correspondence;8

• Periodically re-evaluate the effectiveness of the member's procedures for reviewing public correspondence and consider any necessary revisions;9

• Provide that all customer complaints, whether received via e-mail or in other written form, are reported to the SROs in compliance with the SRO reporting requirements;10

• Prohibit employees from the use of electronic communications unless such communications are subject to supervisory and review procedures developed by the member;11 and

• Conduct necessary and appropriate training and education.

Member electronic communications related to a member's business are subject to its overall supervisory and review procedures.12 They are also subject to SRO rule requirements specifically addressing communications with the public.13

The growth of electronic communications has raised the need for further interpretative guidance. For ease of use, the guidance that follows is divided into six categories:

• Written Policies and Procedures

• Types of Electronic Communications Requiring Review

• Identification of the Person(s) Responsible for the Review of Electronic Communications

• Method of Review for Correspondence

• Frequency of the Review of Correspondence

• Documentation of the Review of Correspondence

A. WRITTEN POLICIES AND PROCEDURES

The path towards an effective supervisory system starts with clear policies and procedures for the general use and supervision of electronic communications, both internal and external, which are updated to address new technologies. For example, a general electronic communications policy written five years ago may well not include policies to regulate employees' use of technologies such as weblogs14 and podcasting15 to communicate with the public.

From a general procedural perspective, members should provide their employees with the following:

• Quick and easy access to electronic communication policies and procedures through, for example, the member's intranet system. (Members should make clear to all employees that they are responsible for complying with these policies and procedures upon their employment. Updates to such policies should be made accessible to all employees in a timely manner, pursuant to the member's procedures.)

• A clear list of permissible electronic communication mechanisms (including a clear statement that all other mechanisms are prohibited). For example, if employees are permitted to utilize only the member's e-mail and instant messaging system, then this should be clearly and unambiguously stated in the member's policies and procedures. Members should also make clear if certain communication mechanisms may only be used for communications between employees of the member (versus mechanisms that may also be used for communications with the public). Members should be cognizant that vague language addressing these issues may leave room for unwanted individual interpretation.

• Training on a regular and as-needed basis. Members should include information in their training and compliance programs describing examples of permissible and prohibited technologies. In addition, while all employees should receive training with respect to the member's general electronic communication policies and procedures, there may be certain employees whose training should be further tailored to their specific business function. For example, a member may implement additional prohibitions on internal communications between business units that are privy to certain non-public information (e.g., investment banking and research and proprietary trading).

B. TYPES OF ELECTRONIC COMMUNICATIONS REQUIRING REVIEW

External Communications

As discussed above, members must have reasonable policies and procedures for the supervisory review of electronic communications that require review under SRO rules16 and federal securities laws. Members may employ risk-based principles to determine the extent to which additional supervisory policies and procedures are required to adequately supervise their business and manage the member's reputational, financial, and litigation risk.

Members also are required to establish policies and procedures regarding the forms of electronic communications that they permit employees to use when conducting business with the public and to take reasonable steps to monitor for compliance with such policies and procedures.

Traditionally, members have limited employees' electronic communications with customers to a member-supplied e-mail address that is connected to the member's communication network. However, as technology has evolved, employees now have a myriad of ways to communicate electronically with the public. To the extent members prohibit certain types of communication media, consideration should be given to taking technological steps to block or otherwise regulate their external and internal use. In particular, members should consider the following options:

Non-Member E-Mail Platforms—Employees have the ability to communicate via e-mail through means other than their member-issued e-mail address by accessing e-mail platforms through the Internet (e.g., through AOL or Yahoo mail) and through third-party communication systems such as Bloomberg and Reuters. If a member permits employees to communicate with customers through these systems or through other non-member e-mail addresses, the member is required to supervise and retain those communications. Some members prohibit, through policies and procedures, employees from accessing non-member e-mail platforms for business purposes, and require employees to certify on an annual or more frequent basis that they are acting consistent with such policies and procedures. Where possible, some members have chosen to block access to these e-mail platforms through their networks. Thus, an employee would be able to access the Internet but not the e-mail functionality. Members utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended.

Similarly, the SROs expect members to prohibit, through policies and procedures, communications with the public for business purposes from employees' own electronic devices unless the member is capable of supervising, receiving, and retaining such communications.17 Absent a prohibition, members should consider requiring pre-approval for the business-related use of any personal electronic communications device. The approval process might require a detailed business justification for using the personal device and an annual re-certification of the approval that includes a re-evaluation of the business justification for its use. In addition, members should consider obtaining agreements from employees authorizing the member to access any such personal electronic communications devices. Members should also consider prohibiting, where appropriate, the use of personal electronic communication devices in certain sensitive firm locations (e.g., where material non-public information could be accessed).

Message Boards—There are various publicly accessible message boards related to the securities industry. Members may consider blocking access by their employees to these message boards18 to prevent them from communicating through these boards for business purposes.

E-Faxes—The use of traditional facsimile machines has started to decline as E-fax software has developed. The SROs view E-faxes as electronic communications and, thus, members should supervise them accordingly.19

When a member permits the use of any technology, the member's system of supervision should be reasonably designed to achieve compliance with applicable laws, rules, and regulations.

Internal Communications

As stated above, with the exception of the enumerated areas requiring review by a supervisor, members may decide, employing risk-based principles, the extent to which review of any internal communications is necessary in accordance with the supervision of their business.

Subject to any such specific rule requirement mandating reviews, in reaching a risk-based assessment regarding the review of internal communications, consideration should be given to, for instance: detecting when a member's information barriers are not working to protect customer or issuer information; protecting against undue influence on research personnel contrary to SRO rules; and segregating the member's proprietary trading desk activity from all or part of the other operating areas of the member.20

In addition, members may consider various relevant existing processes, such as:

• Conflict-management efforts—Steps taken to reduce, manage, or eliminate potential conflicts of interest, including implementing firewalls to prevent electronic communications between certain individuals/groups or monitoring communications as required by SRO rules (e.g., between non-research and research departments) or as otherwise appropriate. Members should review to determine whether adequate information barriers are in place.

• Reviews of internal electronic communications that occur in connection with branch or desk examinations and regulatory inquiries, examinations, or investigations.

• Reviews of internal electronic communications that occur as a result of issues identified in connection with external electronic communication reviews.

C. IDENTIFICATION OF THE PERSON(S) RESPONSIBLE FOR THE REVIEW OF ELECTRONIC COMMUNICATIONS

Members' procedures for review of electronic communications (internal and external) should address the following:

• Members' procedures should clearly identify the person(s) responsible for performing the reviews. Evidence of review can be satisfied by use of a log or other record from the electronic communication system that identifies the reviewers.

• The supervisor/principal must evidence his or her supervision as required by SRO rules.21

• In the course of supervising electronic communications, a supervisor/principal may delegate certain functions to persons who need not be registered.22 However, the supervisor/principal remains ultimately responsible for the performance of all necessary supervisory reviews, irrespective of whether he or she delegates functions related to the review. Accordingly, supervisors must take reasonable and appropriate action to ensure delegated functions are properly executed and should evidence performance of their procedures sufficiently to demonstrate overall supervisory control.23

• Where review functions are delegated, the procedures must provide a protocol to escalate regulatory issues to the designated supervisor or other appropriate department.

• All reviewers must have sufficient knowledge, experience, and training to adequately perform the reviews. Members should be able to demonstrate that the reviewers meet these criteria. This could include: prior supervisory or other experience, years of service in the industry, professional licenses, completion of firm and regulatory element training, product knowledge, educational degrees, knowledge of member products and services, lecturing at, or attending, industry seminars and courses, other training, length of service at the member, familiarity with member systems and tools, and prior regulatory experience.

• Unless a member's size and/or structure (e.g., a sole proprietor) is such that the member has no other reasonable alternative for reviewing an individual's electronic communications, an individual may not conduct supervisory reviews of his or her own electronic communications.

D. METHOD OF REVIEW FOR CORRESPONDENCE

Members should develop review procedures that are both reasonably designed to achieve compliance with applicable securities laws, regulations, and SRO rules and appropriate for their business and structure, consistent with the principles set forth in this Joint Guidance. In addition, members should monitor for compliance with their supervisory procedures' prescribed frequency, timeliness, and quantity parameters.

Regardless of the method utilized, members should alert their reviewers as to the issues to be raised and material to be examined, including acceptable content. For example, members should make reference to the content standards in NYSE Rule 472 and NASD Rule 2210 and provide guidance concerning other applicable areas of concern (e.g., the use of confidential, proprietary, and inside information; anti-money laundering issues; gifts and gratuities; private securities transactions; customer complaints; front-running; and rumor spreading). When reviewing customer complaints, members should look for indicia that a customer has received a communication that is not in conformance with the member's policies and procedures.

In addition, where members permit the use and receipt of encrypted electronic communications, they must be able to monitor and supervise those communications and must educate reviewers on how this can be accomplished. (See "Combination of Lexicon and Random Review of Electronic Correspondence" below).

Furthermore, members must be able to review electronic correspondence in all languages in which they conduct business with the public. Therefore, if the reviewer is not fluent in the language used in an e-mail, the member should require proper independent interpretation and review (i.e., not by the author/recipient of the correspondence).

Under limited circumstances, members should consider having their legal and/or compliance departments re-review e-mails that have already been reviewed by line supervisors and their delegatees in certain situations. Re-review might be advisable when specific problems have been identified at a branch office resulting, for instance, in a registered representative becoming the subject of an internal investigation. Members should also consider re-reviewing selected electronic communications as part of their standard branch office inspection program.

Against this background, members may consider the following methods of review:

• Lexicon-based Reviews of Electronic Correspondence—Members using lexicon-based reviews (those based on sensitive words or phrases, the presence of which may signal problematic communications) of correspondence should utilize an appropriate lexicon, take reasonable security measures to keep the list confidential, and periodically evaluate the efficacy of the lexicon. Members must make informed decisions regarding how best to utilize the surveillance tools they have chosen. Thus, a member that conducts lexicon-based reviews may determine that it is not necessary to review each and every lexicon "hit" in order to maintain an effective review system. The rationale for such determinations should be maintained as part of the member's policies and procedures.

Members should also consider regular periodic reviews of the lexicon system to determine whether any changes/updates are necessary, such as adding or deleting phrases and/or words. Members should periodically inquire as to the effectiveness of the system, especially if the system is that of a vendor.24 Members are responsible for ensuring that the system utilized is functioning properly. As discussed more fully below, if a member does not have confidence in the effectiveness of its lexicon system, a supplemental random review of electronic communications should be considered.

Members should consider targeted concentrated reviews of employees' e-mails when warranted (e.g., when concerns are raised in connection with regulatory examination findings, internal audits, customer complaints, or regulatory inquiries).

When assessing the effectiveness of a lexicon-based system, members should consider the following features:

(a) A meaningful list of phrases and/or words (including industry "jargon") based on the size of the member, its type of business, its customer base, and its location (including any branch offices that may require the inclusion of certain foreign language components). The lexicon system should be comprehensive enough to yield a meaningful sample of "flagged" communications.

(b) Ability to add and delete phrases and words on an ongoing basis.

(c) Ability to review attachments and identify attachments that could circumvent lexicon-based reviews.

(d) Ability to restrict access to the phrases and/or words that make up the lexicon system.

(e) Ability to conduct searches that exclude any trailers or disclaimers used by the member, as these trailers or disclaimers often contain sensitive words such as "guarantee" (e.g., "firm does not guarantee") which would "flag" every such e-mail.

• Random Review of Electronic Correspondence—Members may choose to use a reasonable percentage sampling technique, whereby some percentage of the electronic communications generated by the member is reviewed. There is no prescribed minimum or fixed percentage that is required by regulation. However, the amount of electronic communications chosen for review must be reasonable given the circumstances (for example, member size, nature of business, customer base, and individual employee circumstances). In this regard, members conducting random reviews may consider factors such as:

(a) Percentage of Electronic Correspondence Based on a Branch Office, Department, or Business Unit—For a branch office, department, or business unit, a member could establish a percentage of electronic communications requiring review that is based on its size, type of business, customer base, and location (including its sales locations), which includes e-mails from each individual in that branch office, department, or business unit.

(b) Percentage of Electronic Correspondence for Each Individual—For each individual in a branch office, department, or business unit, a member could establish a percentage of e-mails requiring review based on its size, type of business, supervisory structure (including whether certain locations are supervised remotely), customer base, and location including its branch offices. Members should not necessarily limit themselves to reviewing the same percentage of e-mails for each employee. For example, an individual with disciplinary history or subject to special supervision may warrant a review encompassing a higher percentage of e-mails.

• Combination of Lexicon and Random Review of Electronic Correspondence—Given the strengths and weaknesses of any single review tool, members should consider complementary review techniques. For instance, members should note that while lexicon system-tracking capabilities have become considerably more sophisticated and effective over the past few years, as of this writing they are incapable of reading documents or document attachments that are password protected or encrypted. Further, the use of image files, such as "jpgs," can be used to pass information through lexicon filters undetected. In addition, a registered representative determined to circumvent a lexicon system may be able to do so by simply avoiding the use of words likely to "trigger" the system.

• Standards Applicable to All Review Systems—The manner and extent to which review tools are utilized is a determination to be made by each member, based on its business model. However, to best assure the effectiveness over time of any system, members should incorporate ongoing evaluation procedures to identify and address any "loopholes" or other issues that may arise as the means of transmitting sensitive information "under the regulatory radar" become more sophisticated and difficult to capture. Members' written procedures should delineate the additional reviews that will be conducted when such issues are identified. Members utilizing automated tools or systems in the course of their supervisory review of electronic communications must have an understanding of the limitations of such tools or systems (for example, see the potential limitations of lexicon systems noted above) and should consider what, if any, further supervisory review is necessary in light of such limitations.25

E. FREQUENCY OF THE REVIEW OF CORRESPONDENCE

• Frequency of correspondence review may vary depending on the business. For instance, the frequency of review should be related to the type of business conducted (i.e., the market sensitivity of the activity); the type of customers involved; the scope of the activities; the geographical location of the activities; the disciplinary record of covered persons; and the volume of the communications subject to review.

• Members should prescribe reasonable timeframes within which supervisors are expected to complete their reviews of correspondence, taking into consideration the type of review being conducted and the method of review being used. When determining the reasonableness of such timeframes, members should carefully consider the type of business their firm is conducting and the extent to which a review's usefulness, in the context of that business, is diminished by the passage of time. For example, a member with a primarily retail customer base may need to conduct more frequent reviews than a member that exclusively conducts institutional business.

F. DOCUMENTATION OF THE REVIEW OF CORRESPONDENCE

• Members must evidence their reviews, whether electronically or on paper,26 and be able to reasonably demonstrate that such reviews were conducted.

• The evidence of review should, at a minimum, clearly identify the reviewer, the communication that was reviewed, the date of review, and the steps taken as a result of any significant regulatory issues that were identified during the course of the review. Members should remind their reviewers that merely opening the communication will not be deemed a sufficient review.

III. CONCLUSION

As noted above, the SROs are issuing this Joint Guidance to assist members in the establishment and maintenance of supervisory systems for electronic communications that are reasonably designed to achieve compliance with the federal securities laws and self-regulatory organization rules. Members must recognize, however, that this guidance is not all-inclusive and does not represent all areas of inquiry that a member should consider when establishing and maintaining a supervisory system for electronic communications, including any existing and future electronic communications technology that this guidance may not address. In addition, members are advised that this guidance does not serve to establish a safe harbor with respect to potential supervisory or compliance deficiencies.

1 For purposes of this Joint Guidance, "electronic communications," "e-mail," and "electronic correspondence" may be used interchangeably and can include such forms of electronic communications as instant messaging and text messaging. Notwithstanding such use of terminology, as further detailed herein, the manner of application of SRO rules specifically addressing particular communications with the public (see, e.g., NASD Rules 2210 and 2211 and NYSE Rules 342 and 472) will depend on the type of communication.

2 For purposes of this Joint Guidance, the term "member" refers to NYSE member organizations and NASD members.

4 The SROs have fashioned rule provisions that, where appropriate, take into account variations in members' size or business model. See, e.g., NYSE Rules 342.23 (Offices—Approval, Supervision and Control—Internal Controls) and 472(m) (Communications with the Public—Small Firm Exception). See also NASD Rules 3012 (Supervisory Control System) and 2711 (Research Analysts and Research Reports).

5See NYSE Information Memo 98-3 (January 16, 1998) and NASD Notices to Members 98-11 (January 1998) and 99-03 (January 1999). See also NYSE Rule 342.17 (Offices—Approval, Supervision and Control—Review of Communications with Public) and NASD Rule 3010 (Supervision). Additionally, NASD Rule 2211 (Institutional Sales Material and Correspondence) defines "correspondence" as any written letter or electronic mail message distributed by a member to (1) one or more existing retail customers, and (2) fewer than 25 prospective retail customers within any 30 calendar-day period. Members are not required to approve outgoing "correspondence" prior to use unless the correspondence is sent to 25 or more existing retail customers within a 30 calendar-day period and makes a financial or investment recommendation or otherwise promotes a product or service of the member. NASD Rule 2211 also allows members to adopt supervisory procedures for communications distributed only to certain institutional investors that do not require principal pre-use review and approval. See also SR-NYSE-2007-49 which proposes amendments that would generally exempt from pre-use review and approval correspondence and institutional sales material, as defined.

6 For purposes of NASD rules, the term "employees" includes all associated persons.

8 The SROs recognize that, as appropriate evidence of review, e-mail related to members' investment banking or securities business may be reviewed electronically and the evidence of the review may be recorded electronically (see NYSE Information Memo 98-3 and NASD Notice to Members 98-11).

9See also NYSE Rule 342 and NASD Rule 3012, requiring implementation of a supervisory control system.

11 For example, the SROs expect members to prohibit, through policies and procedures, communications with the public from employees' home computers unless the member is capable of supervising and retaining such communications.

12See NYSE Rules 342.16 and 342.17 (Offices-Approval, Supervision and Control—Supervision of Registered Representatives and Review of Communications with the Public) and NASD Rules 2210 (Communications with the Public) and 2211 (Institutional Sales Material and Correspondence). See also NASD Rule 3010 (Supervision) and NASD Rule 3010(d) (Review of Transactions and Correspondence). (NASD staff notes its intention to propose amendments to Rule 3010(d)(2) to eliminate outdated distinctions between certain hard copy and electronic communications and to reflect this Joint Guidance.)

13See NASD Rules 2210 and 2211. See also NASD Guide to the Internet for Registered Representatives, available at http://www.nasd.com/RulesRegulation/IssueCenter/Advertising/NASDW_0061 18. See also NYSE Rule 472(a), which requires pre-approval for any advertisement, market letter, sales literature, communication, or research report that is distributed or made available to a customer or the public by a member.

14 A "weblog" (often referred to as a "blog") is a web-based publication consisting primarily of periodic reports (generally in reverse chronological order). Similar to other media, blogs often focus on particular subjects (e.g., politics) and combine text, images, and links to other blogs, web pages, and other media related topics.

15 "Podcasting" is a method of distributing multimedia files (i.e., audio or video content) over the Internet for playback on mobile devices and personal computers.

17 Firms should be aware that pursuant to NYSE Rule 342.10(B) and NASD Rule 3010(g)(2), employees working at their primary residences and relying on the exception from branch office registration cannot use their personal e-mail accounts to communicate with potential or existing customers from such locations; electronic communications from such locations must be made through the member's electronic system consistent with the terms of the exception. See generally NYSE Information Memos 05-74 (October 6, 2005) and 06-13 (March 22, 2006) and NASD Notice to Members 06-12 (March 2006).

18 NASD views message boards as advertisements under NASD Rule 2210, and such board postings must be approved prior to use and in writing by a registered principal. (See "Ask the Analyst About Electronic Communications," NASD Regulatory & Compliance Alert, April 1996.)

19 NASD views E-faxes sent to 25 or more prospective retail customers within a 30 calendar-day period to be sales literature under NASD Rule 2210, and they must be approved prior to use and in writing by a registered principal. NASD also requires principal pre-use approval for E-faxes sent to 25 or more existing retail customers within any 30 calendar-day period that make any financial or investment recommendation or otherwise promote a product or service of the member. See NASD Notice to Members 06-45 (August 2006).

24See proposed NYSE Rule 340 (Outsourcing: Due Diligence in the Use of Service Providers) at SR-NYSE-2005-22 and NASD Notice to Members 05-48 (July 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers).